Feeds

NYT scareware scam linked to click fraud botnet

Ukrainian fan club cheer on all sorts of mischief

Intelligent flash storage arrays

A botnet, initially run through compromised servers in the Bahamas, has been blamed for the recent upsurge in scareware scams.

Researchers from security firm Click Forensics have tied the Bahama botnet to a recent attack that resulted in pop-up ads punting rogue anti-virus software appearing via the New York Times website. The scam attempted to trick surfers into purchasing software called Personal Antivirus by falsely warning that their systems were infected with non-existent threats.

Personal Antivirus, far from offering a clean-up utility as advertised, infected compromised systems with a Trojan. Click Forensics said this Trojan is distributed by a gang of cybercrooks in the Ukraine called the Ukrainian fan club, who are also heavily involved in click fraud.

"We believe the Bahama botnet is controlled by this same gang, or their neighbors down the street," Click Forensics reports. "We’re pretty sure the Bahama botnet is related to the Ukrainian fan club and the NYTimes.com scareware because they each phone back to a bogus 'Windows protection' domain located on the same IP address."

Compromised hosts in the Bahama botnet generate auto-generated clicks as part of a click fraud scam that offers an additional income for crooks. This click fraud traffic is carefully designed to elude detection by search engines and ad networks by mimicking genuine searches. "The botnet is effectively disguising the fraud it produces as 'good traffic' by altering the interval and breadth of the attacks across legions of infected machines," Paul Pellman, chief exec of Click Forensic, explained.

Click Forensics first detected the Bahama botnet when they discovered it was redirecting traffic through 200,000 parked domain sites located in the Bahamas. Since then the zombie network has been reprogrammed to redirect traffic through other intermediate sites hosted in the Netherlands, US and the UK. The click fraud carried out by the botnet is explained in more detail in the video (below).

More on the Ukrainian "fan club" and its involvement in the NYT malvertisement campaign can be found in a blog post by independent security researcher Dancho Danchev here. ®

Top 5 reasons to deploy VMware with Tegile

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.